Have government lawyers “winced” at “cyber bomb” statements? If so, it may be about norm development
Is there anything legally problematic about government officials equating cyber operations as being “just like” dropping “bombs”? Before getting to that, let’s consider a little context.
In recounting progress in the campaign against the Islamic State of Iraq and the Levant (ISIL) the President announced in mid-April that “cyber operations are disrupting their command-and-control and communications.” This followed Feb. 29th news conference statements along the same lines by Secretary of Defense Ashton B. Carter (and echoed by Chairman of the Joint Chiefs of Staff General Joseph F. Dunford).
Carter said that the U.S was “using cyber tools to disrupt ISIL’s ability to operate and communicate over the virtual battlefield.” In response to a follow-up question he added:
With respect to cyber, I think you’re referring to our use of cyber which we have talked about generally. In the counter-ISIL campaign in — particularly in Syria to interrupt, disrupt ISIL’s command and control, to cause them to lose confidence in their networks, to overload their network so that they can’t function, and do all of these things that will interrupt their ability to command and control forces there, control the population and the economy.
Here’s something else from that news conference to keep in mind as we examine this issue: Carter also said: “because the methods we’re using are new, some of them will be surprising and some of them are applicable to other challenges that I described, other than ISIL, that we have around the world.” (Italics added.)
To me it’s obvious that the U.S. wants the world to know (likely as a means of enhancing deterrence) that it has offensive cyber capabilities, and is willing to use them. This also appears to be part of an orchestrated effort by the U.S. to take the lead in developing internationally accepted norms as to the use of cyber methodologies in armed conflict (something I support).
Doing so would be a logical follow-on to the inclusion in the 2015 Department of Defense Law of War Manual of a chapter on cyber operations. In many respects, this is a very important policy initiative that would have been unheard of even just a few years ago, and one that could be seen as answering critics concerned about paucity (until recently) of expressions of official views of the U.S. and other countries. Indeed, the New York Times pointed out in an April 24th article that “[a]s recently as four years ago, [the Pentagon] would not publicly admit to developing offensive cyberweapons or confirm its role in any attacks on computer networks.”
The U.S.’s new openness and assertiveness about cyber operations is particularly meaningful because the views of the U.S. – as a “specially affected State” vis-à-vis cyber – would be quite influential in developing norms as to how international law assesses cyber activities in wartime. But what kinds of cyber activities are we talking about?
Besides what Secretary Carter relayed, the Times claims that “interviews with more than a half-dozen senior and midlevel officials” indicated that “the plan is to imitate [ISIL commanders] or to alter their messages, with the aim of redirecting militants to areas more vulnerable to attack by American drones or local ground forces.” According to the Times, officials also said that the U.S. may use “cyberattacks to interrupt electronic transfers and misdirect payments” involving ISIL.
Nevertheless, some consternation apparently arose when the Deputy Secretary of Defense Robert O. Work mentioned that “[w]e are dropping cyberbombs” on ISIL. The Times said “some of Mr. Work’s colleagues acknowledged that they had winced when he used the term, because government lawyers have gone to extraordinary lengths to narrowly limit cyberattacks to highly precise operations with as little collateral damage as possible.” Actually, Mr. Work was only reiterating what his boss, Secretary Carter, had told NPR on February 28th:
I’m talking about attacking the ability of someone sitting in Raqqa to command and control ISIL forces outside of Raqqa or to talk to Mosul or even to talk to somebody in Paris or to the United States. So these are strikes that are conducted in the war zone using cyber essentially as a weapon of war. Just like we drop bombs, we’re dropping cyber bombs. (Italics added.)
In any event, the Times’ explanation of the ‘wincing’ is a bit puzzling to me because in an era of precision-guided munitions equating a cyber-operation to a “bomb” does not, ipso facto, suggest imprecision or extensive collateral damage. But saying that cyber operations are “just like” dropping “bombs” does imply significant physical effects, and that is – legally speaking – rather important.
Specifically, much more than de minimis permanent physical damage caused by a cyber-technique could result in its employment being characterized as a use of force under international law, and that carries a number of legal implications far more consequential than one that isn’t considered as rising to that level. Yet determining exactly what constitutes “force” in the cyber realm has been tricky and controversial. Here’s how the DoD Law of War Manual explains it:
Article 2(4) of the Charter of the United Nations states that “[a]ll Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations.”
Cyber operations may in certain circumstances constitute uses of force within the meaning of Article 2(4) of the Charter of the United Nations and customary international law. For example, if cyber operations cause effects that, if caused by traditional physical means, would be regarded as a use of force under jus ad bellum, then such cyber operations would likely also be regarded as a use of force. Such operations may include cyber operations that: (1) trigger a nuclear plant meltdown; (2) open a dam above a populated area, causing destruction; or(3) disable air traffic control services, resulting in airplane crashes. Similarly, cyber operations that cripple a military’s logistics systems, and thus its ability to conduct and sustain military operations, might also be considered a use of force under jus ad bellum. (Bolding added.)
What all this could mean is that “government lawyers” are concerned about establishing an international norm that equates the cyber operations now being employed against ISIL as a “use of force.” In other words, if those cyber operations really are “just like” dropping “bombs” it conjures up notions of effects much the same as those “caused by traditional physical means” as the Law of War Manual puts it, and that is “force” within the meaning of international law.
Why would this be important? Though the U.S. is already engaged in a lawful armed conflict against ISIL, that may not necessarily the case with the “other challenges” beyond ISIL to which Carter suggested the same cyber methods may be “applicable.”
If those “challenges” (and especially those that are nation-states) who are on the receiving end of the same cyber methods the U.S. may be using against ISIL consider the operations as being “just like” having “bombs” dropped on them, that could provide legal support for a response of a kind that the U.S. does not intend to trigger.
Here’s why: when the Law of War Manual talks about cyber operations that are “considered a use of force under jus ad bellum” it is referencing the kind of scale and intensity of force that would permit a nation to respond in self-defense. Consider that Article 51 of the UN Charter explicitly preserves the “inherent right of individual or collective self-defense if an armed attack occurs against” a member State. (The U.S. considers “force” as used in Article 2 (4) as conterminous with “armed attack” as used in Article 51 – see paragraph 220.127.116.11 of the Law of War Manual.)
Put another way, despite the “cyber bomb” statements of the DoD officials, the U.S. may yet want international norms to consider the techniques being used against ISIL, though harmful to them, as still being below the threshold of the legal interpretation of “force” as found in Article 2(4) of the UN Charter or “armed attack” as used in Article 51. This is especially so if the “challenges” that it has “around the world” are entities with which the U.S. is not currently engaged in an armed conflict against, and with whom it does not wish to start one.
For example, it’s possible that the U.S. government lawyers don’t want a norm to develop that would hold that a cyber-method that only produces a temporary disruption of communications (and which doesn’t produce any lasting physical damage) to be “just like” dropping a traditional “bomb.”
In fact, it may well be in the U.S. interest to have available an array of cyber methodologies (to include some or all those being used against ISIL) that can create effects on opponents advantageous to the U.S. yet do not breach the UN Charter because they would not, from a legal perspective, amount to a use of “force.” Of course, we need to remember that below the threshold of force cyber operations can be unfriendly and harmful in a non-kinetic sense, and thus carry their own legal complexities (which will be addressed by the forthcoming Tallinn 2.0 Manual).
Still, I think it’s important for the U.S. to avoid appearing to characterize its cyber activities as uses of “force” if it’s not really necessary to do so. Accordingly, it needs to be careful about what messages it might unintentionally send to the international community as to what is – or is not – “just like” dropping “bombs.”